
KoreK chopchop

Description

This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. The attack does not recover the WEP key itself; it only reveals the plaintext of the packet. Not all access points are vulnerable, however: some seem vulnerable at first but actually drop data packets shorter than 60 bytes. If the access point drops packets shorter than 42 bytes, aireplay-ng tries to guess the rest of the missing data, as far as the headers are predictable. If an IP packet is captured, it additionally checks that the IP header checksum is correct after guessing the missing parts of the header. The attack requires at least one WEP data packet.

If you wish to learn more about the theory behind this attack, see ChopchopTheory.
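The header-checksum check mentioned above is a plain IPv4 consistency test. As an added illustration (example code written for this page, not aireplay-ng's own source), the following Python computes and verifies the RFC 791 header checksum and shows why it is usable as a filter on guessed header bytes: with a single unknown byte, exactly one of the 256 candidate values is consistent with the stored checksum. The sample header is constructed; the addresses 192.168.1.100 and 192.168.1.2 are the ones used in the ARP example later on this page.

```python
import struct


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of the
    header's 16-bit big-endian words, computed with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, proto: int = 1,
                      ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum.
    Constructed sample data for this example, not a captured packet."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]


def verify_ipv4_header(header: bytes) -> bool:
    """True if `header` starts with an IPv4 header whose stored checksum
    matches its contents (the check aireplay-ng applies to guessed headers)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return False
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        return False
    hdr = header[:ihl]
    stored = (hdr[10] << 8) | hdr[11]
    return ipv4_header_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == stored


def candidates_for_byte(header: bytes, pos: int) -> list:
    """Treat the byte at `pos` as unknown and return every value 0..255 for
    which the header checksum verifies. With one unknown byte exactly one
    value is consistent; with several unknown bytes the checksum only narrows
    the candidates, it does not identify them."""
    return [v for v in range(256)
            if verify_ipv4_header(header[:pos] + bytes([v]) + header[pos + 1:])]


# Constructed sample: an ICMP packet header from 192.168.1.100 to 192.168.1.2.
SAMPLE_HEADER = build_ipv4_header("192.168.1.100", "192.168.1.2", total_len=60)

if __name__ == "__main__":
    print("valid header verifies:", verify_ipv4_header(SAMPLE_HEADER))
    corrupted = SAMPLE_HEADER[:8] + b"\x01" + SAMPLE_HEADER[9:]   # wrong TTL byte
    print("corrupted header verifies:", verify_ipv4_header(corrupted))
    print("TTL values consistent with the checksum:", candidates_for_byte(corrupted, 8))
```

A checksum that verifies only says the header is self-consistent: aireplay-ng uses it to reject bad guesses, not to prove a decryption. Because the checksum is a 16-bit sum, it cannot distinguish two guesses that differ in several bytes whose contributions cancel, which is why the guessing is limited to the predictable header fields.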

Usage

aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0

Where:

-4 means the chopchop attack

-h 00:09:5B:EC:EE:F2 is the MAC address of an associated client or your card's MAC if you did fake authentication

-b 00:14:6C:7E:40:80 is the access point MAC address

ath0 is the wireless interface name

Although it is not shown, you may use any of the other aireplay-ng filters; the main aireplay-ng page has the complete list. Typical additional filters are -m and -n, which set the minimum and maximum packet size to select.

If the “-h” option is omitted, an unauthenticated chopchop attack is performed. See the example below for more details.

Usage Examples

Example with sample output

This is an example of an authenticated chopchop attack, meaning you must first perform a fake authentication and pass the source MAC used there with the “-h” option. Essentially this causes all packets to be sent with the source MAC specified by “-h”, while the destination MAC is varied over 256 combinations.

aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0

Where:

-4 means the chopchop attack

-h 00:09:5B:EC:EE:F2 is the MAC address of our card and must match the MAC used in the fake authentication

Success! The file “replay_dec-0201-191706.xor” named in the output can then be used in the next step to generate a packet with packetforge-ng, such as an ARP packet. You may also use tcpdump or Wireshark to view the decrypted packet, which is stored in replay_dec-0201-191706.cap.

Chopchop Without Authentication

This is an example of a chopchop attack without authentication, meaning you do not need to perform a fake authentication first and you omit the “-h” option. Essentially this causes all packets to be sent with 256 random source MAC addresses and a broadcast destination MAC.

This only works with a very limited number of access points (APs). An AP that is vulnerable will only send a deauthentication packet if the source packet was valid; if it does, one byte has been successfully determined.

aireplay-ng -4 -b 00:14:6C:7E:40:80 ath0

Where:

-4 means the chopchop attack

-b 00:14:6C:7E:40:80 is the access point MAC address

ath0 is the wireless interface name
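From a monitoring point of view, both modes produce a recognisable traffic shape: the authenticated mode sends many short data frames from one station to hundreds of different receiver addresses, the unauthenticated mode sends them from many random source addresses to the broadcast address, and a vulnerable AP answers each valid frame with a deauthentication. The following Python heuristic, an added example that is not part of the aircrack-ng project, flags those shapes in a simplified frame log. The log format, the thresholds and the sample frames are constructed for this example; the station and AP MAC addresses are the ones used in the commands above.

```python
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    t: float       # capture time in seconds
    src: str       # transmitter MAC
    dst: str       # receiver MAC
    kind: str      # "data" or "deauth" (other kinds are ignored)
    length: int    # frame length in bytes


def parse_frames(text: str) -> list:
    """Parse lines of the constructed form '<t> <src> <dst> <kind> <len>'."""
    frames = []
    for line in text.strip().splitlines():
        t, src, dst, kind, length = line.split()
        frames.append(Frame(float(t), src.lower(), dst.lower(), kind, int(length)))
    return frames


def detect_chopchop_like(frames, window=10.0, max_len=80,
                         min_dst=32, min_src=32, min_deauth=16) -> list:
    """Flag the traffic shapes described for the two aireplay-ng -4 modes.
    All thresholds are assumptions chosen for this example, not values from
    the aircrack-ng documentation. Returns (pattern, address, count) tuples,
    one per time window and address."""
    buckets = defaultdict(list)
    for f in frames:
        buckets[int(f.t // window)].append(f)

    alerts = []
    for b in sorted(buckets):
        dsts_by_src = defaultdict(set)    # short data frames: src -> distinct receivers
        srcs_to_bcast = set()             # sources of short data frames sent to broadcast
        deauth_by_src = defaultdict(int)  # deauthentication frames per transmitter
        for f in buckets[b]:
            if f.kind == "data" and f.length <= max_len:
                dsts_by_src[f.src].add(f.dst)
                if f.dst == BROADCAST:
                    srcs_to_bcast.add(f.src)
            elif f.kind == "deauth":
                deauth_by_src[f.src] += 1
        for src, dsts in dsts_by_src.items():
            if len(dsts) >= min_dst:      # one station, many receivers (authenticated mode)
                alerts.append(("short_data_to_many_dst", src, len(dsts)))
        if len(srcs_to_bcast) >= min_src:  # many stations, broadcast receiver (unauthenticated mode)
            alerts.append(("short_data_from_many_src_to_bcast", BROADCAST, len(srcs_to_bcast)))
        for ap, n in deauth_by_src.items():
            if n >= min_deauth:           # AP answering each probe with a deauthentication
                alerts.append(("deauth_burst", ap, n))
    return alerts


def constructed_sample() -> str:
    """Constructed frame log: benign full-size client traffic, then one station
    sending 64 short data frames to 64 receiver addresses, each answered by a
    deauthentication from the AP. Not a real capture."""
    ap = "00:14:6c:7e:40:80"
    sta = "00:09:5b:ec:ee:f2"
    lines = []
    for i in range(20):   # benign client (constructed MAC) exchanging 1500-byte frames
        lines.append(f"{i * 0.1:.2f} 00:11:22:33:44:55 {ap} data 1500")
    for i in range(64):
        t = 1.0 + i * 0.02
        lines.append(f"{t:.2f} {sta} 00:14:6c:7e:40:{i:02x} data 68")
        lines.append(f"{t + 0.005:.3f} {ap} {sta} deauth 26")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_chopchop_like(parse_frames(constructed_sample())):
        print(alert)
```

The two flagged patterns are independent: the receiver-address spray shows up even when the AP is not vulnerable and stays silent, while the deauthentication burst alone also covers the unauthenticated mode, where the spray is spread over random source addresses and only the broadcast-receiver count stands out. A wireless IDS that already tracks deauthentication rates per BSSID needs only the first two counters added.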

Generating an ARP packet

1. First, we decrypt one packet

aireplay-ng -4 ath0

If this isn't successful, in most cases the access point simply drops the data because it does not know the MAC address that is sending it. In this case we have to use the MAC address of a connected client, which is allowed to send data over the network:

3. Then, forge an ARP request
The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station, in case the access point is filtering unauthenticated traffic.